change BPF_SOCK_ADDR_VERDICT_PROCEED to BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT (#4701)

andrwli · liandrew-MSFT · web-flow · commit a230bfda52f4 · 2025-10-07T01:06:18.000Z
Co-authored-by: Andrew Li &lt;liandrew@microsoft.com&gt;
diff --git a/include/ebpf_nethooks.h b/include/ebpf_nethooks.h
@@ -54,9 +54,12 @@ bind_hook_t(bind_md_t* context);
 // CGROUP_SOCK_ADDR.
 //
 
-#define BPF_SOCK_ADDR_VERDICT_REJECT 0
-#define BPF_SOCK_ADDR_VERDICT_PROCEED 1
-#define BPF_SOCK_ADDR_VERDICT_PROCEED_HARD 2
+typedef enum _ebpf_sock_addr_verdict
+{
+    BPF_SOCK_ADDR_VERDICT_REJECT,
+    BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT,
+    BPF_SOCK_ADDR_VERDICT_PROCEED_HARD
+} ebpf_sock_addr_verdict_t;
 
 #ifdef _MSC_VER
 #pragma warning(push)
@@ -136,12 +139,12 @@ EBPF_HELPER(int, bpf_sock_addr_set_redirect_context, (bpf_sock_addr_t * ctx, voi
  *
  * @param[in] context \ref bpf_sock_addr_t
  * @retval BPF_SOCK_ADDR_VERDICT_REJECT Block the socket operation. Maps to a hard block in WFP.
- * @retval BPF_SOCK_ADDR_VERDICT_PROCEED Allow the socket operation. Maps to a soft permit in WFP.
+ * @retval BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT Allow the socket operation. Maps to a soft permit in WFP.
  * @retval BPF_SOCK_ADDR_VERDICT_PROCEED_HARD Allow the socket operation. Maps to a hard permit in WFP.
  *
  * Any return value other than the ones mentioned above is treated as BPF_SOCK_ADDR_VERDICT_REJECT.
  */
-typedef int
+typedef ebpf_sock_addr_verdict_t
 sock_addr_hook_t(bpf_sock_addr_t* context);
 
 typedef enum _bpf_sock_op_type
diff --git a/netebpfext/net_ebpf_ext_sock_addr.c b/netebpfext/net_ebpf_ext_sock_addr.c
@@ -989,7 +989,7 @@ _net_ebpf_extension_connection_context_initialize(
 _Requires_exclusive_lock_held_(_net_ebpf_ext_sock_addr_contexts.lock) static uint32_t
     _net_ebpf_ext_find_and_remove_connection_context_locked(_In_ net_ebpf_extension_connection_context_t* context)
 {
-    uint32_t verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+    uint32_t verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
     // Check the hash table for the entry.
     net_ebpf_extension_connection_context_t* found_context =
         (net_ebpf_extension_connection_context_t*)RtlLookupElementGenericTableAvl(
@@ -1518,7 +1518,7 @@ _get_verdict_priority(uint32_t verdict)
         return 3; // Highest priority
     case BPF_SOCK_ADDR_VERDICT_PROCEED_HARD:
         return 2;
-    case BPF_SOCK_ADDR_VERDICT_PROCEED:
+    case BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT:
         return 1;
     default:
         return 0;
@@ -1631,7 +1631,7 @@ net_ebpf_extension_sock_addr_authorize_recv_accept_classify(
         goto Exit;
     }
 
-    classify_output->actionType = (result == BPF_SOCK_ADDR_VERDICT_PROCEED) ? FWP_ACTION_PERMIT : FWP_ACTION_BLOCK;
+    classify_output->actionType = (result == BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT) ? FWP_ACTION_PERMIT : FWP_ACTION_BLOCK;
     if (classify_output->actionType == FWP_ACTION_BLOCK) {
         classify_output->rights &= ~FWPS_RIGHT_ACTION_WRITE;
     }
@@ -1699,7 +1699,7 @@ net_ebpf_extension_sock_addr_authorize_connection_classify(
         // This is a re-authorization of a connection that was previously authorized by the
         // eBPF program. Permit it.
         // NOTE: Reauthorization is currently not supported for hard permit.
-        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto Exit;
     }
 
@@ -1713,7 +1713,7 @@ net_ebpf_extension_sock_addr_authorize_connection_classify(
             "The cgroup_sock_addr eBPF program is not interested in this compartment ID",
             sock_addr_ctx->compartment_id);
 
-        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto Exit;
     }
 
@@ -1724,7 +1724,7 @@ net_ebpf_extension_sock_addr_authorize_connection_classify(
     // Set action type based on verdict
     // Clear FWPS_RIGHT_ACTION_WRITE for block and hard permit.
     switch (verdict) {
-    case BPF_SOCK_ADDR_VERDICT_PROCEED:
+    case BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT:
         classify_output->actionType = FWP_ACTION_PERMIT;
         break;
     case BPF_SOCK_ADDR_VERDICT_PROCEED_HARD:
@@ -1914,7 +1914,7 @@ _cache_connection_context_verdict(
     uint32_t verdict,
     uint64_t handle)
 {
-    if (verdict != BPF_SOCK_ADDR_VERDICT_PROCEED) {
+    if (verdict != BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT) {
         // Create a connection context and add it to list for the AUTH_CONNECT layer callout to enforce the
         // verdict of the program.
         if (verdict == BPF_SOCK_ADDR_VERDICT_PROCEED_HARD) {
@@ -2017,7 +2017,7 @@ net_ebpf_extension_sock_addr_redirect_connection_classify(
             NET_EBPF_EXT_TRACELOG_LEVEL_VERBOSE,
             NET_EBPF_EXT_TRACELOG_KEYWORD_SOCK_ADDR,
             "No \"write\" right; exiting.");
-        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto Exit;
     }
 
@@ -2040,7 +2040,7 @@ net_ebpf_extension_sock_addr_redirect_connection_classify(
             NET_EBPF_EXT_TRACELOG_KEYWORD_SOCK_ADDR,
             "net_ebpf_extension_sock_addr_redirect_connection_classify - Client detach detected.",
             STATUS_INVALID_PARAMETER);
-        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto Exit;
     }
 
@@ -2051,7 +2051,7 @@ net_ebpf_extension_sock_addr_redirect_connection_classify(
     // In case of re-authorization, the eBPF programs have already inspected the connection.
     // Skip invoking the program(s) again. In this case the verdict is always to proceed (terminating).
     if (net_ebpf_sock_addr_ctx.flags & FWP_CONDITION_FLAG_IS_REAUTHORIZE) {
-        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         reauthorization = TRUE;
         NET_EBPF_EXT_LOG_MESSAGE_UINT64_UINT64(
             NET_EBPF_EXT_TRACELOG_LEVEL_ERROR,
@@ -2071,7 +2071,7 @@ net_ebpf_extension_sock_addr_redirect_connection_classify(
             NET_EBPF_EXT_TRACELOG_KEYWORD_SOCK_ADDR,
             "The cgroup_sock_addr eBPF program is not interested in this compartment ID.",
             sock_addr_ctx->compartment_id);
-        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto Exit;
     }
 
@@ -2091,15 +2091,15 @@ net_ebpf_extension_sock_addr_redirect_connection_classify(
             (uint64_t)sock_addr_ctx->compartment_id);
 
         // This connection was previously redirected.
-        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto Exit;
     }
 
     v4_mapped = (sock_addr_ctx->family == AF_INET6) && IN6_IS_ADDR_V4MAPPED((IN6_ADDR*)sock_addr_ctx->user_ip6);
 
     // Check if the eBPF program should be invoked based on the IP address family and the hook attach type.
     if (!_net_ebpf_extension_sock_addr_should_invoke_ebpf_program(filter_context, sock_addr_ctx, v4_mapped)) {
-        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto Exit;
     }
     net_ebpf_sock_addr_ctx.v4_mapped = v4_mapped;
@@ -2141,7 +2141,7 @@ net_ebpf_extension_sock_addr_redirect_connection_classify(
 
     if (result == EBPF_OBJECT_NOT_FOUND) {
         // No eBPF program is attached to this filter.
-        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
     } else if (result != EBPF_SUCCESS) {
         // We failed to invoke at least one program in the chain, block the request.
         verdict = BPF_SOCK_ADDR_VERDICT_REJECT;
diff --git a/tests/connect_redirect/connect_redirect_tests.cpp b/tests/connect_redirect/connect_redirect_tests.cpp
@@ -326,7 +326,7 @@ _update_policy_map(
 
     // Insert / delete redirect policy entry in the map.
     destination_entry_key_t key = {0};
-    destination_entry_value_t value = {.verdict = BPF_SOCK_ADDR_VERDICT_PROCEED};
+    destination_entry_value_t value = {.verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT};
 
     if (_globals.family == AF_INET && dual_stack) {
         struct sockaddr_in6* v6_destination = (struct sockaddr_in6*)&destination;
diff --git a/tests/netebpfext_unit/netebpfext_unit.cpp b/tests/netebpfext_unit/netebpfext_unit.cpp
@@ -346,7 +346,7 @@ netebpfext_unit_invoke_sock_addr_program(
 
     switch (action) {
     case SOCK_ADDR_TEST_ACTION_PERMIT_SOFT:
-        *result = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        *result = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         break;
     case SOCK_ADDR_TEST_ACTION_PERMIT_HARD:
         *result = BPF_SOCK_ADDR_VERDICT_PROCEED_HARD;
@@ -362,7 +362,7 @@ netebpfext_unit_invoke_sock_addr_program(
             auto first_octet = &sock_addr_context->user_ip6[0];
             (*first_octet)++;
         }
-        *result = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        *result = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         break;
     case SOCK_ADDR_TEST_ACTION_FAILURE:
         return_result = EBPF_FAILED;
diff --git a/tests/sample/cgroup_count_connect4.c b/tests/sample/cgroup_count_connect4.c
@@ -32,13 +32,13 @@ count_tcp_connect4(bpf_sock_addr_t* ctx)
 {
     int retval = 0;
     if (ctx->protocol != IPPROTO_TCP) {
-        retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto exit;
     }
 
     // IP address, port #s in the context are in network byte order.
     if (ctx->user_port != ntohs(remote_port)) {
-        retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto exit;
     }
 
diff --git a/tests/sample/cgroup_count_connect6.c b/tests/sample/cgroup_count_connect6.c
@@ -32,13 +32,13 @@ count_tcp_connect6(bpf_sock_addr_t* ctx)
 {
     int retval = 0;
     if (ctx->protocol != IPPROTO_TCP) {
-        retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto exit;
     }
 
     // IP address, port #s in the context are in network byte order.
     if (ctx->user_port != ntohs(remote_port)) {
-        retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto exit;
     }
 
diff --git a/tests/sample/cgroup_mt_connect4.c b/tests/sample/cgroup_mt_connect4.c
@@ -25,15 +25,15 @@ tcp_mt_connect4(bpf_sock_addr_t* ctx)
 {
     int retval = 0;
     if (ctx->protocol != IPPROTO_TCP) {
-        retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto exit;
     }
 
     // IP address, port #s in the context are in network byte order.
     if (ctx->user_port < htons(remote_port)) {
 
         // Not one of ours, allow.
-        retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto exit;
     }
 
@@ -44,15 +44,15 @@ tcp_mt_connect4(bpf_sock_addr_t* ctx)
     }
 
     if (!(ntohs(ctx->user_port) % 2)) {
-        retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto exit;
     }
 
     // For all other port values, redirect the port to some arbitrary value.
     // REDIRECT uses the same return value as PROCEED except it updates the IP
     // address and/or port as required. (We only update the port here.)
     ctx->user_port += htons(redirect_offset);
-    retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+    retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
 
 exit:
     return retval;
diff --git a/tests/sample/cgroup_mt_connect6.c b/tests/sample/cgroup_mt_connect6.c
@@ -25,15 +25,15 @@ tcp_mt_connect6(bpf_sock_addr_t* ctx)
 {
     int retval = 0;
     if (ctx->protocol != IPPROTO_TCP) {
-        retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto exit;
     }
 
     // IP address, port #s in the context are in network byte order.
     if (ctx->user_port < htons(remote_port)) {
 
         // Not one of ours, allow.
-        retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto exit;
     }
 
@@ -44,15 +44,15 @@ tcp_mt_connect6(bpf_sock_addr_t* ctx)
     }
 
     if (!(ntohs(ctx->user_port) % 2)) {
-        retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+        retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
         goto exit;
     }
 
     // For all other port values, redirect the port to some arbitrary value.
     // REDIRECT uses the same return value as PROCEED except it also updates the IP address and/or port as required.
     // (We only update the port here.)
     ctx->user_port += htons(redirect_offset);
-    retval = BPF_SOCK_ADDR_VERDICT_PROCEED;
+    retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
 
 exit:
     return retval;
diff --git a/tests/sample/cgroup_sock_addr.c b/tests/sample/cgroup_sock_addr.c
@@ -59,7 +59,7 @@ authorize_v4(bpf_sock_addr_t* ctx, void* connection_policy_map)
 
     verdict = bpf_map_lookup_elem(connection_policy_map, &tuple_key);
 
-    return (verdict != NULL) ? *verdict : BPF_SOCK_ADDR_VERDICT_PROCEED;
+    return (verdict != NULL) ? *verdict : BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
 }
 
 __inline int
@@ -75,7 +75,7 @@ authorize_v6(bpf_sock_addr_t* ctx, void* connection_policy_map)
 
     verdict = bpf_map_lookup_elem(connection_policy_map, &tuple_key);
 
-    return (verdict != NULL) ? *verdict : BPF_SOCK_ADDR_VERDICT_PROCEED;
+    return (verdict != NULL) ? *verdict : BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
 }
 
 SEC("cgroup/connect4")
diff --git a/tests/sample/process_start_key.c b/tests/sample/process_start_key.c
@@ -29,7 +29,7 @@ get_start_key(bpf_sock_addr_t* ctx)
     uint32_t key = 0;
     bpf_map_update_elem(&process_start_key_map, &key, &v, 0);
 
-    return BPF_SOCK_ADDR_VERDICT_PROCEED;
+    return BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
 }
 
 SEC("cgroup/connect4")
diff --git a/tests/sample/thread_start_time.c b/tests/sample/thread_start_time.c
@@ -29,7 +29,7 @@ get_thread_create_time(bpf_sock_addr_t* ctx)
     uint32_t key = 0;
     bpf_map_update_elem(&thread_start_time_map, &key, &v, 0);
 
-    return BPF_SOCK_ADDR_VERDICT_PROCEED;
+    return BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
 }
 
 SEC("cgroup/connect4")
diff --git a/tests/socket/socket_tests.cpp b/tests/socket/socket_tests.cpp
@@ -142,12 +142,12 @@ connection_test(
     _change_egress_policy_test_ingress_block(
         egress_connection_policy_map, tuple, sender_socket, receiver_socket, message, destination_address, verdict);
 
-    verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+    verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
     _change_egress_policy_test_ingress_block(
         egress_connection_policy_map, tuple, sender_socket, receiver_socket, message, destination_address, verdict);
 
     // Update ingress policy to allow packet.
-    verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+    verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
     SAFE_REQUIRE(bpf_map_update_elem(bpf_map__fd(ingress_connection_policy_map), &tuple, &verdict, EBPF_ANY) == 0);
 
     // Resend the packet. This time, it should be allowed by both the programs and the packet should reach loopback the
@@ -545,7 +545,7 @@ _update_map_entry_multi_attach(
     bool add)
 {
     _update_map_entry_multi_attach(
-        map_fd, address_family, destination_port, proxy_port, protocol, BPF_SOCK_ADDR_VERDICT_PROCEED, add);
+        map_fd, address_family, destination_port, proxy_port, protocol, BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT, add);
 }
 
 static void
@@ -671,7 +671,7 @@ multi_attach_test_common(
     SAFE_REQUIRE(map_fd != ebpf_fd_invalid);
     bpf_attach_type_t attach_type = (address_family == AF_INET) ? BPF_CGROUP_INET4_CONNECT : BPF_CGROUP_INET6_CONNECT;
 
-    uint32_t verdict = compartment_id == UNSPECIFIED_COMPARTMENT_ID ? BPF_SOCK_ADDR_VERDICT_PROCEED
+    uint32_t verdict = compartment_id == UNSPECIFIED_COMPARTMENT_ID ? BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT
                                                                     : BPF_SOCK_ADDR_VERDICT_PROCEED_HARD;
 
     // Deleting the map entry will result in the program blocking the connection.
@@ -740,7 +740,7 @@ multi_attach_test(uint32_t compartment_id, socket_family_t family, ADDRESS_FAMIL
     bpf_object_ptr object_ptrs[MULTIPLE_ATTACH_PROGRAM_COUNT];
     bpf_attach_type_t attach_type = (address_family == AF_INET) ? BPF_CGROUP_INET4_CONNECT : BPF_CGROUP_INET6_CONNECT;
 
-    uint32_t verdict = compartment_id == UNSPECIFIED_COMPARTMENT_ID ? BPF_SOCK_ADDR_VERDICT_PROCEED
+    uint32_t verdict = compartment_id == UNSPECIFIED_COMPARTMENT_ID ? BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT
                                                                     : BPF_SOCK_ADDR_VERDICT_PROCEED_HARD;
 
     // Load the programs.
@@ -820,7 +820,7 @@ void
 multi_attach_test_redirection(
     socket_family_t family, ADDRESS_FAMILY address_family, uint32_t compartment_id, uint16_t protocol)
 {
-    uint32_t verdict = compartment_id == UNSPECIFIED_COMPARTMENT_ID ? BPF_SOCK_ADDR_VERDICT_PROCEED
+    uint32_t verdict = compartment_id == UNSPECIFIED_COMPARTMENT_ID ? BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT
                                                                     : BPF_SOCK_ADDR_VERDICT_PROCEED_HARD;
 
     // This test validates combination of redirection and other program verdicts.
@@ -1356,7 +1356,7 @@ TEST_CASE("multi_attach_test_invocation_order", "[sock_addr_tests][multi_attach_
     _update_map_entry_multi_attach(
         map_fd_specific, address_family, htons(SOCKET_TEST_PORT), htons(SOCKET_TEST_PORT), IPPROTO_TCP, true);
 
-    verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+    verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
     _update_map_entry_multi_attach(
         map_fd_wildcard, address_family, htons(SOCKET_TEST_PORT), htons(SOCKET_TEST_PORT), IPPROTO_TCP, verdict);
 
@@ -1385,7 +1385,7 @@ TEST_CASE("multi_attach_test_invocation_order", "[sock_addr_tests][multi_attach_
     _update_map_entry_multi_attach(
         map_fd_wildcard, address_family, htons(SOCKET_TEST_PORT), htons(SOCKET_TEST_PORT), IPPROTO_TCP, true);
 
-    verdict = BPF_SOCK_ADDR_VERDICT_PROCEED;
+    verdict = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;
     _update_map_entry_multi_attach(
         map_fd_specific, address_family, htons(SOCKET_TEST_PORT), htons(SOCKET_TEST_PORT), IPPROTO_TCP, verdict);
 
diff --git a/tests/stress/km/stress_tests_km.cpp b/tests/stress/km/stress_tests_km.cpp

Original file line number	Diff line number	Diff line change
`@@ -32,13 +32,13 @@ count_tcp_connect4(bpf_sock_addr_t* ctx)`
`32`	`32`	`{`
`33`	`33`	`int retval = 0;`
`34`	`34`	`if (ctx->protocol != IPPROTO_TCP) {`
`35`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`35`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`36`	`36`	`goto exit;`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`// IP address, port #s in the context are in network byte order.`
`40`	`40`	`if (ctx->user_port != ntohs(remote_port)) {`
`41`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`41`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`42`	`42`	`goto exit;`
`43`	`43`	`}`
`44`	`44`
Original file line number	Diff line number	Diff line change
`@@ -32,13 +32,13 @@ count_tcp_connect6(bpf_sock_addr_t* ctx)`
`32`	`32`	`{`
`33`	`33`	`int retval = 0;`
`34`	`34`	`if (ctx->protocol != IPPROTO_TCP) {`
`35`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`35`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`36`	`36`	`goto exit;`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`// IP address, port #s in the context are in network byte order.`
`40`	`40`	`if (ctx->user_port != ntohs(remote_port)) {`
`41`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`41`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`42`	`42`	`goto exit;`
`43`	`43`	`}`
`44`	`44`
Original file line number	Diff line number	Diff line change
`@@ -25,15 +25,15 @@ tcp_mt_connect4(bpf_sock_addr_t* ctx)`
`25`	`25`	`{`
`26`	`26`	`int retval = 0;`
`27`	`27`	`if (ctx->protocol != IPPROTO_TCP) {`
`28`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`28`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`29`	`29`	`goto exit;`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`// IP address, port #s in the context are in network byte order.`
`33`	`33`	`if (ctx->user_port < htons(remote_port)) {`
`34`	`34`
`35`	`35`	`// Not one of ours, allow.`
`36`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`36`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`37`	`37`	`goto exit;`
`38`	`38`	`}`
`39`	`39`
`@@ -44,15 +44,15 @@ tcp_mt_connect4(bpf_sock_addr_t* ctx)`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`if (!(ntohs(ctx->user_port) % 2)) {`
`47`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`47`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`48`	`48`	`goto exit;`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`// For all other port values, redirect the port to some arbitrary value.`
`52`	`52`	`// REDIRECT uses the same return value as PROCEED except it updates the IP`
`53`	`53`	`// address and/or port as required. (We only update the port here.)`
`54`	`54`	`ctx->user_port += htons(redirect_offset);`
`55`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`55`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`56`	`56`
`57`	`57`	`exit:`
`58`	`58`	`return retval;`
Original file line number	Diff line number	Diff line change
`@@ -25,15 +25,15 @@ tcp_mt_connect6(bpf_sock_addr_t* ctx)`
`25`	`25`	`{`
`26`	`26`	`int retval = 0;`
`27`	`27`	`if (ctx->protocol != IPPROTO_TCP) {`
`28`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`28`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`29`	`29`	`goto exit;`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`// IP address, port #s in the context are in network byte order.`
`33`	`33`	`if (ctx->user_port < htons(remote_port)) {`
`34`	`34`
`35`	`35`	`// Not one of ours, allow.`
`36`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`36`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`37`	`37`	`goto exit;`
`38`	`38`	`}`
`39`	`39`
`@@ -44,15 +44,15 @@ tcp_mt_connect6(bpf_sock_addr_t* ctx)`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`if (!(ntohs(ctx->user_port) % 2)) {`
`47`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`47`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`48`	`48`	`goto exit;`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`// For all other port values, redirect the port to some arbitrary value.`
`52`	`52`	`// REDIRECT uses the same return value as PROCEED except it also updates the IP address and/or port as required.`
`53`	`53`	`// (We only update the port here.)`
`54`	`54`	`ctx->user_port += htons(redirect_offset);`
`55`		`- retval = BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`55`	`+ retval = BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`56`	`56`
`57`	`57`	`exit:`
`58`	`58`	`return retval;`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ authorize_v4(bpf_sock_addr_t* ctx, void* connection_policy_map)`
`59`	`59`
`60`	`60`	`verdict = bpf_map_lookup_elem(connection_policy_map, &tuple_key);`
`61`	`61`
`62`		`- return (verdict != NULL) ? *verdict : BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`62`	`+ return (verdict != NULL) ? *verdict : BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`__inline int`
`@@ -75,7 +75,7 @@ authorize_v6(bpf_sock_addr_t* ctx, void* connection_policy_map)`
`75`	`75`
`76`	`76`	`verdict = bpf_map_lookup_elem(connection_policy_map, &tuple_key);`
`77`	`77`
`78`		`- return (verdict != NULL) ? *verdict : BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`78`	`+ return (verdict != NULL) ? *verdict : BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`SEC("cgroup/connect4")`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ get_start_key(bpf_sock_addr_t* ctx)`
`29`	`29`	`uint32_t key = 0;`
`30`	`30`	`bpf_map_update_elem(&process_start_key_map, &key, &v, 0);`
`31`	`31`
`32`		`- return BPF_SOCK_ADDR_VERDICT_PROCEED;`
	`32`	`+ return BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT;`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`SEC("cgroup/connect4")`